In light of the explosive Pegasus Project revelations, PRASHANT PANDEY explains what you need to know about the Pegasus spyware: how it works, which technological vulnerabilities it exploits, how similar spyware is sold and marketed, and its previous appearances in India and abroad.


The recent Pegasus Project revelations that about half a lakh people across the world, including several in India, were targeted for cyber surveillance have firmly brought the spotlight onto the Pegasus spyware, which is widely understood to be the most sophisticated smartphone attack tool. The revelations also mark the first time that a malicious remote jailbreak exploit had been detected within an iPhone.

Pegasus is spyware (a Trojan) that can be installed remotely on devices running Apple’s iOS and Google’s Android operating systems. It is developed and marketed by the Israeli technology firm NSO Group. NSO Group sells Pegasus to “vetted governments” for “lawful interception”, which is understood to mean combating terrorism and organised crime, as the firm claims, but suspicions exist that it is used for other purposes.

NSO Group’s majority ownership vests in its co-founders Omri Lavie and Shalev Hulio, and the European private equity fund Novalpina Capital. An American private equity firm, Francisco Partners, holds a minority stake in the firm.

Pegasus burst into global prominence in August 2016, when a failed attempt to install it on the iPhone of Emirati human rights activist Ahmed Mansoor was detected. Mansoor had received a series of SMSs promising “new secrets” about torture in prisons in the United Arab Emirates (UAE) if he clicked on certain URL/web links.

Mansoor grew suspicious of the messages and reached out to the information controls research laboratory Citizen Lab to examine the SMSs. Citizen Lab’s investigation revealed that if Mansoor had followed the link, his phone would have been jailbroken on the spot and spyware implanted into it. Citizen Lab linked the attack to NSO Group through the IP address embedded in the text. Its report details the spyware’s abilities and the security vulnerabilities it exploited.

Both the New York Times and The Times of Israel have reported that the UAE has apparently been using this spyware since as early as 2013.

Two months after the murder and dismemberment of Saudi Arabian journalist and dissident Jamal Khashoggi at the Saudi consulate in Istanbul, Turkey, his friend and fellow Saudi dissident Omar Abdulaziz, a Canadian resident, filed a lawsuit against the NSO Group. The suit, filed at an Israeli court, accused the firm of providing the Saudi government with spyware to snoop on him and his associates, including Khashoggi.


What can Pegasus do?

When a smartphone, PC, laptop, or tablet is infected with Pegasus, a remote user is capable of accessing all the information on it. The deployer can read text messages and email, track calls, access the calendar, collect passwords, look at one’s browser history, trace GPS location, listen to conversations using the device’s microphone, and even see through the phone’s camera. In fact, they can do everything the owner can do on their own phone, in addition to gathering information from all apps on the phone, including (but not limited to) iMessage, Gmail, iCloud, Facebook, WhatsApp, Signal, Telegram, WeChat and Skype.

Pegasus also enables the keystroke monitoring of all communications from a phone (texts, emails, web searches, among others). That, combined with phone call and location tracking, alongside a compromised microphone and camera, turns the mobile into a constant surveillance device against the owner.

Apple claimed to have fixed the vulnerabilities exploited by sophisticated spyware such as Pegasus with the release of iOS 9.3.5, but as of now it is not clear whether Pegasus has since been updated to remain effective against the latest versions of iOS and Android devices.

Indicators within the code suggest that this spyware has been in use for a significant amount of time. For one, the code contains a kernel mapping table with values going all the way back to iOS 7.

U.S.-based private IT security company Lookout provided details of three vulnerabilities:

  • CVE-2016-4655: Information leak in the kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing them to calculate the kernel’s location in memory.
  • CVE-2016-4656: Kernel memory corruption leading to jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to secretly jailbreak the device and install surveillance software – details in reference.
  • CVE-2016-4657: Memory corruption in WebKit – A vulnerability in Safari’s WebKit that allows the attacker to compromise the device when the user clicks on a link.


2019 WhatsApp hack in India

In late 2019, it emerged that WhatsApp had been exploited to hack a number of activists, journalists, and bureaucrats in India, leading to accusations that the Indian government was involved.

On October 30, 2019, WhatsApp’s parent company Facebook confirmed that Pegasus was used to target Indian journalists, activists, lawyers and senior government officials. The journalists and activists were believed to have been targets of surveillance for a two-week period prior to the Lok Sabha elections. (Incidentally, several of the Indian numbers identified in the Pegasus Project revelations were added to the target list in the run-up to the Lok Sabha elections as well.) WhatsApp even notified the infected users with the following message:

Further, the Indian IT Ministry sought a detailed response from WhatsApp on the issue. WhatsApp responded that it had alerted the Indian government about the security compromise on two occasions — once in May and again in September 2019. It verified that, in all, 121 individuals had been targeted by the spyware.

Some of the Indian individuals targeted by Pegasus via WhatsApp in 2019 – academic Anand Teltumbde, Nagpur lawyers Nihalsing Rathod and Jagdish Meshram, adivasi rights activist Bela Bhatia, lawyer and activist Shalini Gera, activist Rupali Jadhav, and P. Pavana, the daughter of a Bhima Koregaon case accused – have also been found in the latest leaked list of targets uncovered by the Pegasus Project.

A Right to Information (RTI) application was filed in October 2019 by journalist Saurav Das in which he asked whether the Indian government had purchased or given a purchase order for the Pegasus spyware.

In response, the Ministry of Home Affairs stated: “Please refer to your online RTI application dated 23.10.2019 received by the undersigned CPIO [Central Public Information Officer] on 24.10.2019. It is informed that no such information is available with the undersigned CPIO.”

How spyware is marketed

The best way to understand the esoteric world of spyware and the business model of its vendors across the globe is to go through a leaked project proposal, published by the Israeli newspaper TheMarker, from another mercenary spyware vendor from Israel: Saito Tech Ltd., a.k.a. Candiru, a secretive Israel-based company that sells “untraceable” spyware exclusively to governments. Reportedly, its spyware can infect and monitor mobile devices, computers, and cloud accounts.

The report clearly shows how these spyware companies are playing with our privacy and making millions of dollars by offering different vectors (that is, methods that malicious code uses to infect a computer), including malicious links, man-in-the-middle attacks, and physical attacks. A browser-based zero-click vector named “Sherlock” is also offered, which Candiru claims works on Windows, iOS, and Android.

Like many of its peers, Candiru seems to license its spyware by the number of concurrent infections, that is, the number of targets that can be under active surveillance at any one point of time. Similar to the NSO Group, Candiru also seems to limit its clientele to a group of approved countries.

The €16 million project proposal allows for unlimited spyware infection attempts, but the monitoring of only 10 devices at one time. By paying €1.5 million more, the client can monitor 15 additional devices simultaneously, as well as infect devices in another country. With another €5.5 million, the client gains the ability to monitor 25 additional devices simultaneously and carry out surveillance in five more countries.

Some screenshots of said report were furnished here (images not reproduced).

The proposal states that the product will operate in “all agreed upon territories”, then lists a set of restricted countries, including the U.S., China, Israel, Iran, and Russia. The same list of restricted countries has reportedly been mentioned previously in connection with the NSO Group.

Even so, Microsoft found Candiru victims in Iran, which suggests that Candiru products can operate in restricted territories in certain situations as well. Moreover, the targeting infrastructure revealed in the leaked document includes domains disguised as the Russian postal service.

According to the leaked document, the spyware can exfiltrate private data from several apps and accounts, such as Gmail, Facebook, Skype, and Telegram. The spyware is also capable of accessing browsing history and passwords, using the target’s microphone and webcam, and recording screenshots. Data capturing capability for additional apps, such as Twitter, Viber and Signal, is available for purchase as an add-on.

Figure 4: Customers can pay additional money to capture data from specific apps.

For an additional €1.5 million fee, customers can buy a remote shell capability, which gives them full access to execute any command or program on the target’s device. Such a capability is especially troubling, given that it could be misused to download files onto a compromised computer, for instance to plant false or fake incriminating evidence.

The American forensic consulting firm Arsenal Consulting has revealed in two separate reports this year that evidence found in the computers of Rona Wilson and Surendra Gadling, two of the Bhima Koregaon case arrestees, was planted into their devices through sophisticated hacking of exactly this kind.


As of now, more questions than answers abound about the use of Pegasus and other similar spyware by governments across the world, including in India. Hopefully, the coming few days and weeks will yield some answers, because the integrity of our democracy hinges on them.

(Prashant Pandey is a digital forensic engineer who has worked with various law enforcement agencies. He was a whistleblower in the Vyapam Scam in Madhya Pradesh. He has filed a petition in the Supreme Court against illegal snooping. The views expressed are personal.)